Standards & governance
22 January 2024

ISO27001 – Clause 7.5 – Document management


When it comes to information security, every detail counts, including the way information is created, stored, maintained and destroyed.

Clause 7.5 of ISO 27001 addresses the “management of documented information”, an aspect often overlooked, but nonetheless crucial to the implementation of an effective and robust Information Security Management System (ISMS).


Take a moment to think about all the information your organization manages on a daily basis – from internal policies and procedures to customer data, financial reports and project plans. Each of these documents represents a facet of your business that needs to be managed and protected. That’s where clause 7.5 comes in.

It provides a framework to ensure that this information is properly created, updated, managed and ultimately destroyed, so as to protect not only your information assets, but also your organization’s reputation.

Clause 7.5 of ISO 27001 stipulates that the organization must establish, maintain and control the documented information necessary to support the operation of its ISMS.

This clause focuses on “how” documented information (such as policies, procedures, registers and artifacts) should be organized.

It’s important to remember that every organization is unique, and that the implementation of this clause may vary according to the size of the company, the type of information, its sector of activity and the skills of the people involved. Are we dealing with security specialists, accountants or plumbers?


It seems to me that clause 7.5 is often underestimated by organizations: documents are dropped into SharePoint, Google Drive or other storage servers without much thought given to access rights, and people spend their time searching for documents they cannot easily find.

This approach not only fails to create a climate of confidence in our document management, but also reduces the effectiveness of internal communication and collaboration. For example, if there are three of us working on a file, we each have our own way of naming and filing our documents. We need to coordinate!


Although the standard does not require it, I believe it is essential to write down the answers to the following questions:

The nomenclature of our files

Each document must be uniquely identified, either by title, date or version number, to make it easier to use, find and, above all, update!

For example, a letter received from the government could be named as follows: YYYYMMDD – notice of assessment QC 2024.pdf

In the case of a document created for a customer, the following format could be used: Title – CustomerName – Version.pdf


Document templates

ISO 27001, in clause 7.5, doesn’t explicitly mention “document templates”, but it does talk about the management of documented information which may include document templates. In my view, document templates are essential to ensure consistency, clarity and ease of use.

Personally, I use one of two approaches, whichever suits the organization best. The first is an empty “template” file that already contains the layout recognized by the organization (page headers, version history, etc.). The second is a checklist given to people so that they can create their own files, on the understanding that the document is not considered finished until it has been checked against that list.

For example:

  • Have a title and the author’s name on the cover;
  • Place the document’s classification on the cover page and in the footer;
  • Identify page numbers;
  • Use the organization’s colors and logo in the top right-hand corner;
  • Write using the corporate font, such as Arial 10.

How is review and quality assurance carried out?

Before publication, each document must be reviewed and approved to ensure that it is fit for purpose and complies with ISMS requirements.


Where our files are kept

Documents must be stored and preserved in such a way as to guarantee their accessibility, preservation and protection against loss of confidentiality, integrity and availability. So, do we know where our documents are stored?

Personally, I keep a list of locations and the classification level allowed for each location, along with the name of the person responsible for reviewing access rights.


How to manage versions of the same file

Whenever information is modified, a new version should be created and properly identified. This can be done by assigning a unique version number or date to each version of a document.

It is often useful to include the version in the file name, as well as a tracking table inside the document called “Version History”, to record the changes made to a document over time. This lets you see who made changes, when they were made and what the nature of the changes was.

Version tracking also makes it easy to identify older iterations of a document, to avoid their incorrect use. In some cases, they may need to be retained for legal or knowledge reasons. These old versions can be placed in an archive directory or preservation vault.

Note for SharePoint or Google Drive users: version history is kept with the file itself, so there is no need to keep copies of the same file.


How do I manage external documents?

These documents may include contracts with suppliers, agreements with partners, legal requirements, standards or even security test reports!

  1. Identification: We need to identify the external documents that are relevant to the information security management system (ISMS). Do we have a list of these documents?
  2. Review and approval: Before they are used, these documents must be approved to confirm that they are relevant and correct.
  3. Distribution: Approved documents must be distributed to the appropriate people in the organization.
  4. Conservation and preservation: Documents must be conserved to protect against loss, destruction, alteration or unauthorized access.
  5. Review: External documents should be reviewed regularly to ensure that they are still current and relevant. If a document is no longer required, it should be securely deleted.
  6. Traceability: It is essential to keep records demonstrating that documents have been properly managed. This includes evidence of document review, approval, distribution and revision.

Publication management and document distribution

The documents we manage sometimes need to be shared with others, so we need a way of identifying “final” or approved documents. For example, what is the difference between a policy undergoing modification and a final policy? There must be a distinction between the two that is obvious to the user.

I’ve seen documents named “Nomdufichier VFinale-ajusté-revu.docx” and another “nomdufichier Vfinale.docx”.

How do I know which document to use?

This is why the file naming and versioning procedure is so important.
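The two naming formats given earlier (YYYYMMDD – title.pdf for received documents, Title – CustomerName – Version.pdf for documents produced for a customer) and the “Vfinale” problem above can be checked mechanically. The following is an added example, not code from the original post: it classifies file names against the two conventions, flags ad-hoc “final” markers, and picks the current version per title and customer by comparing version numbers numerically (so v1.10 is newer than v1.2). The version form “v1.2” and the sample file list are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Separator used in the post's examples ("YYYYMMDD – title.pdf"); a plain hyphen is accepted too.
SEP = r"\s[–-]\s"
# Scheme 1: received documents, e.g. "20240115 – notice of assessment QC 2024.pdf"
DATED_RE = re.compile(rf"^(?P<date>\d{{8}}){SEP}(?P<title>.+)\.(?P<ext>\w+)$")
# Scheme 2: documents produced for a customer, e.g. "Title – CustomerName – v1.2.pdf" (assumed version form)
VERSIONED_RE = re.compile(
    rf"^(?P<title>.+?){SEP}(?P<customer>.+?){SEP}v(?P<major>\d+)\.(?P<minor>\d+)\.(?P<ext>\w+)$"
)
# Words that signal an ad-hoc "final" marker instead of a real version number.
FINAL_MARKER_RE = re.compile(r"v?finale?|revu|ajust", re.IGNORECASE)

# Constructed sample listing, as a shared folder might look before the naming rule is enforced.
SAMPLE_FILES = [
    "20240115 – notice of assessment QC 2024.pdf",
    "Access control policy – Acme – v1.0.pdf",
    "Access control policy – Acme – v1.2.pdf",
    "Access control policy – Acme – v1.10.pdf",
    "Nomdufichier VFinale-ajusté-revu.docx",
    "nomdufichier Vfinale.docx",
    "notes.txt",
]

@dataclass
class NamedDocument:
    filename: str
    scheme: str                          # "dated", "versioned" or "nonconforming"
    title: Optional[str] = None
    customer: Optional[str] = None
    date: Optional[str] = None
    version: Optional[Tuple[int, int]] = None
    issues: List[str] = field(default_factory=list)

def classify(filename: str) -> NamedDocument:
    """Map a file name onto one of the two naming schemes, or report why it fits neither."""
    m = DATED_RE.match(filename)
    if m:
        doc = NamedDocument(filename, "dated", title=m["title"], date=m["date"])
        try:
            datetime.strptime(m["date"], "%Y%m%d")   # reject prefixes such as 20241340
        except ValueError:
            doc.issues.append("date prefix is not a valid YYYYMMDD date")
        return doc
    m = VERSIONED_RE.match(filename)
    if m:
        return NamedDocument(filename, "versioned", title=m["title"], customer=m["customer"],
                             version=(int(m["major"]), int(m["minor"])))
    doc = NamedDocument(filename, "nonconforming")
    doc.issues.append("does not match the dated or the versioned naming scheme")
    if FINAL_MARKER_RE.search(filename):
        doc.issues.append("uses a 'final'-style marker instead of a version number")
    return doc

def latest_versions(filenames: List[str]) -> Dict[Tuple[str, str], NamedDocument]:
    """Current version per (title, customer); tuple comparison makes v1.10 newer than v1.2."""
    current: Dict[Tuple[str, str], NamedDocument] = {}
    for doc in (classify(n) for n in filenames):
        if doc.scheme != "versioned":
            continue
        key = (doc.title.casefold(), doc.customer.casefold())
        if key not in current or doc.version > current[key].version:
            current[key] = doc
    return current
```

Running `classify` over a folder listing gives the auditor's answer to “how are documents identified?” as a list of names that do not follow the procedure, and `latest_versions` tells users which file is the one to use.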


What is the lifespan of a document, and how is it destroyed?

Obsolete documents must be identified and removed to prevent unintended use. However, if these documents are to be retained for legal or knowledge purposes, measures must be taken to distinguish them from current documents.

Example of retention periods

Success criteria

To determine whether we have met clause 7.5 of ISO 27001, here are some questions an auditor might ask:

  1. How does your organization create and update its documents?
  2. How are documents identified?
  3. How are documents approved before publication?
  4. How are documents stored and maintained to ensure their accessibility and preservation?
  5. How are changes identified, reviewed and approved before implementation?
  6. How does your organization identify and remove obsolete documented information?


Patrick Boucher
President and founder
25+ years of experience in security, ethical hacking, business continuity